Slashdot Mirror


Security Hole In Windows 7 UAC

An anonymous reader writes "A prolific blogger is warning of a possible security hole in the latest beta version of Windows 7. Long Zheng has posted both a description and a proof of concept for an issue that could allow an attacker to skirt the User Account Control component in the new version of Windows. The problem, explains Zheng, is that UAC itself is controlled through system settings. This can allow an attacker to completely disable the protections without user notification. Zheng notes that the issue can be easily fixed by changing the UAC setting to notify users when Windows settings are altered, and that Microsoft could remedy the problem by prompting the user when the UAC setting is altered."
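A practitioner's check for the setting the story turns on, added here as an example and not code from Zheng's post or from Microsoft: the level the Windows 7 UAC slider selects is stored as three ordinary registry values under HKLM, and reading them shows whether the default "notify me only when programs try to make changes" level (the one the proof of concept depends on, because at that level Windows's own auto-elevating binaries run without a prompt) is still in effect. The key, the value names and the value-to-slider mapping are the documented UAC policy settings; the Findings text is this example's own wording.

```powershell
# UAC policy values live under this key; reading needs nothing, writing needs an elevated shell.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    param([string]$Path = $UacKey)

    $v = Get-ItemProperty -Path $Path -ErrorAction Stop
    $enableLua = [int]$v.EnableLUA                    # 0 = UAC switched off entirely
    $adminMode = [int]$v.ConsentPromptBehaviorAdmin   # how members of Administrators are prompted
    $secure    = [int]$v.PromptOnSecureDesktop        # 1 = prompt on the isolated secure desktop

    # ConsentPromptBehaviorAdmin: 0 elevate silently, 1 credentials on secure desktop,
    # 2 consent on secure desktop, 3 credentials, 4 consent, 5 consent for non-Windows binaries only.
    $level = if ($enableLua -eq 0 -or $adminMode -eq 0) { 'Never notify' }
             elseif ($adminMode -eq 5 -and $secure -eq 1) { 'Notify only for programs (Windows 7 default)' }
             elseif ($adminMode -eq 5 -and $secure -eq 0) { 'Notify only for programs, no secure desktop' }
             elseif ($adminMode -in @(1, 2) -and $secure -eq 1) { 'Always notify' }
             else { "Custom (ConsentPromptBehaviorAdmin=$adminMode, PromptOnSecureDesktop=$secure)" }

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'EnableLUA=0: UAC is disabled; every process of an Administrators member runs with the full token.'
    }
    if ($adminMode -eq 5) {
        $findings += 'Windows binaries marked for auto-elevation run without a prompt, so the UAC slider itself can be moved silently.'
    }
    if ($secure -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: the consent dialog shares the user desktop and can be driven by injected input.'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminMode
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        Findings                   = $findings
    }
}

# The remediation the story itself suggests: move the slider to "Always notify".
# Run from an elevated shell; a change to EnableLUA additionally needs a reboot to apply.
function Set-UacAlwaysNotify {
    param([string]$Path = $UacKey)
    Set-ItemProperty -Path $Path -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $Path -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $Path -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

Get-UacPosture | Format-List
```

On a managed fleet the same three values can be pinned by Group Policy under Computer Configuration, Security Options, in which case the registry view above reflects the policy and the slider in Control Panel is greyed out.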


  1. "Gerald" by plasmacutter · · Score: 5, Funny

    Everyone knows from recent news that microsoft has removed the innards of windows 7 and replaced them with "gerald", a lovable computer literate field mouse.

    Gerald is cheap, congenial, and zippy, but unfortunately has very poor judgment.

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
  2. Short: Don't work as Administrator by Anonymous Coward · · Score: 3, Insightful

    This was discussed elsewhere (heise.de) earlier...

    Short answer: this only works iff you are logged in as Administrator already...

    Prompting the user when this setting is altered is quite worthless - if I have a script on my computer that can simulate keypresses and mouse clicks *nothing* will hinder it from clicking on "I've read the warning". Even adding captchas/moving the warning around/whatever will only be a fake solution that will only work till there's a better script.

    1. Re:Short: Don't work as Administrator by ta+bu+shi+da+yu · · Score: 2, Funny

      Apparently Raymond Chen posted a response at http://blogs.msdn.com/oldnewthing/archive/2009/01/21/9353310.aspx

      It appears that they are getting a "Service unavailable" prompt. Could it really be that they are running their blogs on an IIS server that is running Windows 7? Shock horror, it appears that someone has elevated privileges using vbscript to bypass UAC and has changed the IIS app pool to run under a guest account!

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:Short: Don't work as Administrator by Anonymous Coward · · Score: 5, Informative

      if I have a script on my computer that can simulate keypresses and mouse clicks *nothing* will hinder it to click on "I've read the warning"

      That's completely wrong. The entire point of the UAC prompt is that it can't be automatically dismissed by simulated user input. The UAC prompt runs on a separate virtual desktop from everything else (which is why it flickers), and the kernel enforces that only real user input can touch it, and you can't run your own code in the kernel without going through a UAC prompt, so it's secure.

      If this guy is right and UAC can be disabled without user input, then the entire UAC system instantly becomes pointless. Saying that you shouldn't be running as administrator is stupid; UAC's purpose was to make it safe to use administrator accounts. If you can't do that, then UAC has failed. Anyway, Administrator accounts are the default and therefore what 99% of users are going to be using.

    3. Re:Short: Don't work as Administrator by nstlgc · · Score: 4, Insightful

      Saying that you shouldn't be running as administrator is stupid; UAC's purpose was to make it safe to use administrator accounts.

      Uh no. UAC's purpose is to make it possible (in practice) not to use administrator accounts. Pretty much the complete opposite.

      --
      I'm Rocco. I'm the +5 Funny man.
    4. Re:Short: Don't work as Administrator by Darkon · · Score: 3, Insightful

      Anyway, Administrator accounts are the default and therefore what 99% of users are going to be using.

      And only when Microsoft change this will Windows be half way towards being secure.

    5. Re:Short: Don't work as Administrator by Anonymous Coward · · Score: 4, Informative

      I'm afraid you're wrong. When UAC is on programs you execute are run under your user account which is normally (by default) a member of the Administrators group. However, the programs are run in a special mode where they are prevented from actually using most of the administrative rights granted to your account. (You can read all about it in Wikipedia.) When a UAC prompt comes up you don't have to type a password because you're not logging in to a different account; you're just granting permission to use the full administrative rights your account already has.

      It is also possible to use UAC from a non-administrator account. In this mode you must type a password every time a UAC prompt comes up, instead of just clicking "continue". Few people do this because it is not the default setup and it's even more annoying than regular UAC.

    6. Re:Short: Don't work as Administrator by drsmithy · · Score: 5, Insightful

      Prompting the user when this setting is altered is quite worthless - if I have a script on my computer that can simulate keypresses and mouse clicks *nothing* will hinder it to click on "I've read the warning".

      You mean apart from the inability of your script to interact with the separate Desktop that UAC prompts occur on ?

    7. Re:Short: Don't work as Administrator by Darkon · · Score: 2, Insightful

      Which was done with Vista.

      No it doesn't. If you install Vista with all the defaults then you are a member of the Administrators group. You still have to go out of your way if you want to start out with a plain old unprivileged user.

    8. Re:Short: Don't work as Administrator by Kjella · · Score: 5, Insightful

      The real problem, and one that doesn't have a good technical or sociological fix, is that most windows users are doing administration duties that far exceed their skills. Users get confronted with all sorts of dialogs they don't understand but just want to get on with it. I bet you, that if you popped up a page to someone saying "This video needs a newer version of flash" and redirected them to some completely bogus page that gave them a plugin with a completely bogus signature most people would go ahead and install it anyway. What is the latest version anyway? Couldn't even remember who makes it, and those companies keep on merging and rebranding and whatnot. No amount of UAC, or running as an unprivileged user could possibly fix that because they are the ones with the admin keys and they're handing them out too easily.

      Most users don't understand trust, they want to see a nice little lock icon telling them this site is safe, this site is bad. Same goes for plugins. Same goes for software. If you try educating them they'll just go blank *bad thing* *bad thing* *REALLY bad thing* but they won't understand and just want the simple answer. There's some very professional looking sites out there that appear to give you good software. They often even look better than the real deal because the frauds are all about appearances while the real sites focus on delivering good software, no offence intended. While it does amount to some degree of security scissors, most users would be better off if they only downloaded from safe, verified sources of software and plugins. If only Linux would stop asking all the other technical questions, the repository model would be much better for these people. It's not the end-all and be-all of security but it concentrates 99% of the superuser tasks in one place and makes it that much harder for some random application to throw up a superuser prompt.

      --
      Live today, because you never know what tomorrow brings
    9. Re:Short: Don't work as Administrator by 0100010001010011 · · Score: 2

      Why is it that I can run as an 'admin' account on both Linux and OS X with out this happening? If I need the power I have sudo from the command line or OS X gives me a prompt.

    10. Re:Short: Don't work as Administrator by drsmithy · · Score: 3, Informative

      No it doesn't. If you install Vista with all the defaults then you are a member of the Administrators group. You still have to go out of your way if you want to start out with a plain old unprivileged user.

      "Administrator" in Vista is not the same as "Administrator" in earlier versions. It is akin to being an 'admin' in OS X or Ubuntu - it just means you can elevate your privileges if required, not that you can do whatever you please.

    11. Re:Short: Don't work as Administrator by Jeremy+Visser · · Score: 4, Informative

      You mean apart from the inability of your script to interact with the separate Desktop that UAC prompts occur on ?

      Right on the money.

      I use Synergy 2, which lets me control my keyboard and mouse from another computer over the network. It's functionally no different to a keypress simulator like the G.P. mentioned.

      When using Synergy, I cannot use the remote mouse and keyboard to accept UAC prompts. I have to move to the local machine and physically click the button locally for it to work. Same goes for administrative apps -- if an app is running with administrative privileges, Synergy cannot register clicks on the privileged window. Unless I run Synergy itself as an administrator.

    12. Re:Short: Don't work as Administrator by mpeskett · · Score: 5, Interesting

      When has a windows administrator account ever meant that you could do whatever you please?

      I'm sat here right now, running an admin account on XP, and if I try to delete the "Desktop" folder in my own account, I can't. It tells me "Desktop is a Windows system folder and is required for Windows to run properly. It cannot be deleted". Never mind the fact that I've changed the location of that folder by fiddling with the registry to put it on a separate hard drive, the redundant copy on C:\ is still protected against deletion.

      Contrast this against the stories about *nix systems where some fool runs rm -rf as admin and it only stops deleting things when it deletes the delete command itself... that is being allowed to do whatever you want.

    13. Re:Short: Don't work as Administrator by Anonymous Coward · · Score: 3, Informative

      The short answer: Because you're not really running as an admin. On OS X, the "admin" accounts are not really admins. They are allowed to authenticate to use root privileges however. To put it simply: for *nix, regular user accounts are a member of the "users" group. If you decided that user account should have access to the sudo command, you add them to the "wheel" group (at least that's how it's setup on my distro).

      Now, let's compare to Windows Vista/Windows 7: Your "regular" user account is actually a member of the administrators group. The application in question is asking permission to use your full administrative permissions. You are not inputting a password to authenticate higher privileges. You already have them, you're just saying "sure, go ahead" to the application/installer/whathaveyou.

    14. Re:Short: Don't work as Administrator by rhsanborn · · Score: 3, Insightful

      Something they've been trained to do as a result of shortcuts and hacks used by applications written for Windows for years. I'm reasonably sure a check book balancing application shouldn't need administrator privileges to run, but so many applications are written that way, probably a little because it's easier, and a little because so many people use administrator accounts that it doesn't matter.

      Microsoft is in a tough position with regards to this. A large portion of the annoyance with Vista was 1) compatibility, which stemmed from bad time frames and poor vendor interaction, admitted, but also from enforcing proper security and structure that they hadn't done, that broke poorly written code. 2) from UAC going off very frequently due to applications constantly trying to elevate their privileges which is in most cases unnecessary.

    15. Re:Short: Don't work as Administrator by mario_grgic · · Score: 3, Informative

      Well it's not that simple. On OS X for example you can be an administrator and you still can't delete system files. You need to be root to do that. Also, in OS X you can not create "root account", and login into your session as root. It is simply not allowed and impossible to do. On Linux you can.

      So for that hypothetical admin user to delete everything he would have to first become root (either by doing sudo, or starting a root shell, being authenticated first) and then executing rm -rf /

      So, to recap, being an Administrator and just executing rm -rf / will not delete system files.

      --
      As the island of our knowledge grows, so does the shore of our ignorance.
    16. Re:Short: Don't work as Administrator by GooberToo · · Score: 2, Informative

      Uh no. UAC's purpose is to make it possible (in practice) not to use administrator accounts. Pretty much the complete opposite.

      So how is one to use an administrator account without using an administrator account. You've completely missed the boat here. The gp is correct and you are wrong. The point is to allow secure access to administrator accounts without having to actually, explicitly log in as a desktop user as an administrator. So in that sense, you are right, but it does not change the fact that the entire point, as the gp stated, is to allow secure access to administrator accounts.

    17. Re:Short: Don't work as Administrator by denis-The-menace · · Score: 3, Insightful

      Easier said than done.
      Many developers are lazy and create apps that only work if the USER is an administrator. Other times it will only work if the user that installed the app is the USER (Again, need administrator to install it in the first place!).

      BTW: Fixing this is my bread and butter.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    18. Re:Short: Don't work as Administrator by TyIzaeL · · Score: 2, Informative

      This doesn't apply to just Windows users. Its referred to as the dancing bunnies problem. It doesn't matter what OS the user is on. If they think they want what the particular malware claims to offer, they'll go through all the administrator prompts you can come up with to get what they want.

    19. Re:Short: Don't work as Administrator by ThaReetLad · · Score: 2, Insightful

      This is probably the real point of UAC. To get developers to write software that doesn't need admin rights

      --
      You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
    20. Re:Short: Don't work as Administrator by afidel · · Score: 2, Informative

      Actually the GP was right, your account does not have the admin bits set in the token when using UAC. Responding to the dialog adds those pieces to the token for that app on a temporary basis.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
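What afidel calls the "admin bits" can be observed from an ordinary console. The following is an added example, not code from any poster: it compares what the .NET WindowsPrincipal says about the current token with the group attributes that whoami reports, and reads the integrity label. In the filtered (unelevated) token of an Administrators member the Administrators group is still listed but carries the "Group used for deny only" attribute and the label is Medium; in the linked token handed to a process after the consent prompt the group is enabled and the label is High. The well-known SIDs used are the standard ones; the column names come from whoami's CSV output.

```powershell
function Get-TokenElevationState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole honours the token's group attributes: a deny-only Administrators
    # membership yields $false, which is exactly the filtered-token case.
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups exposes the attribute flags that the .NET API does not surface.
    $rows      = whoami /groups /fo csv | ConvertFrom-Csv
    $adminsRow = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $labelRow  = $rows | Where-Object { $_.SID -like 'S-1-16-*' }     # mandatory integrity label

    $integrity = switch ($labelRow.SID) {
        'S-1-16-4096'  { 'Low' }
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-12288' { 'High' }
        'S-1-16-16384' { 'System' }
        default        { $labelRow.SID }
    }

    [pscustomobject]@{
        User                     = $identity.Name
        MemberOfAdministrators   = [bool]$adminsRow
        AdministratorsAttributes = if ($adminsRow) { $adminsRow.Attributes } else { '(not a member)' }
        IsElevated               = $isElevated
        IntegrityLevel           = $integrity
        # Member of the group, yet not elevated: this is the UAC-filtered token.
        FilteredToken            = ([bool]$adminsRow -and -not $isElevated)
    }
}

Get-TokenElevationState | Format-List
```

Run it once from a normal console and once from a console started with "Run as administrator"; the user and the group membership stay the same, and only the attributes, the integrity label and IsElevated change, which is the whole of what the consent click grants.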
    21. Re:Short: Don't work as Administrator by drsmithy · · Score: 4, Informative

      Also, in OS X you can not create "root account", and login into your session as root. It is simply not allowed and impossible to do.

      sudo su -

      Congratulations, you're logged in as root.

      sudo passwd

      Even more congratulations are due, you now have the ability to login from the login window as root.

      So, to recap, being an Administrator and just executing rm -rf / will not delete system files.

      Actually, on an OS X system there are (or were, I haven't looked for a while) a lot of system-level files (including a lot of stuff in /Applications, like Installer.app) that are writable by any 'admin' user. So even without elevating, an 'admin' user could do a lot of damage to an OS X machine.

    22. Re:Short: Don't work as Administrator by kimvette · · Score: 2, Interesting

      In Linux (and OS X if you enable the root login) when you're root, it's assumed you know to not shoot yourself in the foot. In OS X, an admin isn't root. To actually be root, you need to edit a config file (I forget which one) to enable the root login, then you can log in as root. However, OS X 10.2 and later make the admin process so friendly there is little to no need to ever log in to the desktop environment as root. If you need root in OS X, it's generally only for custom configurations of apache or samba, for which sudo will generally work fine, or you can just su - root. No need to log in to root via the GUI. Really.

      As a regular user (even a wheel member) most distributions (and OS X) are smart enough to prompt you for the root password if you're requesting changes which require root to do so, and those credentials are either cached for that app and its children (in the case of YaST on SUSE), or, like sudo, you're authenticated for a period of time (some versions of OS X, I don't know if the current operates this way since my Mac is too old for leopard).

      The problem is Windows' security model is hopelessly broken due to the shortcomings that come with backwards compatibility all the way to Windows 2.x and 3.x - on the old 16-bit environments it was never designed for networking to begin with (the network modules are fugly hacks) and are certainly not multiuser, so security was not even a consideration. This line of thinking continued even through Windows for Workgroups (which did have native networking) where security was only considered on the server side, and even Windows 95 which was fully networkable security was hardly considered because it was not considered a multiuser system and one of the selling points was near-100% backwards compatibility with all your favorite desktop applications - unfortunately including the ones which love to litter %windir%\*

      Windows 2000 and Windows XP came from a grown-up OS called NT, but brought with it the backwards compatibility promised by Windows 95. This is due to applications like Quicken, Quickbooks, etc. - essentials for the continued success of Windows as a desktop operating system. Unfortunately those applications require administrator access because they were developed on Win16 and ported to Win32 with NO consideration for following best practices, especially for the install process. (note: when I've developed installers, all the way back to 16-bit, I've always followed best practices to avoid those issues on the client side even though my employer at the time would never pay the dough for the Windows logo certification process. My installers would have passed though! It doesn't take much effort to do so, and it makes maintainability easier and eases the load on support by avoiding DLL hell).

      So, security has been broken by design. Vista and Windows X64 attempt to limit the problem through limited sandboxing and Windows File Protection, and Windows XP (x86) through Windows File Protection, but running older apps incurs so many UAC prompts (or they just plain won't work) that one is better off just turning off UAC and relying on antivirus and antispyware software. The only reasonable way to have backwards compatibility with previous Windows versions without broken security is through a compatibility layer like wine (but do you think M$ will really contribute to wine?!) or through virtualization, probably breaking directx components in those apps in the process.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    23. Re:Short: Don't work as Administrator by plague3106 · · Score: 2, Informative

      Um, that's what they've done. User programs that are causing UAC prompts are built wrong; they're trying to write to \Program Files, and that's been a no-no since Win2k. That's why many programs require Admin access. UAC was SUPPOSED to be annoying so that developers were forced to fix their badly implemented applications. That was the idea anyway, whether or not it had the intended effect I don't know. Probably not, since people bitch about UAC (and many of these same who run Linux have no problem supplying the root password when they run an X admin tool from a normal user account).

    24. Re:Short: Don't work as Administrator by Firehed · · Score: 2, Insightful

      UAC, believe it or not, can't be controlled by scripts or other software-based inputs - it only accepts input from physical hardware. Which is a good thing (assuming this bug is fixed which would get around the need to do so, anyways). I don't know the tech that's causing that to happen (a sibling poster explains it better), but I can say that it DOES work.

      Or, at least, this was the case using a Vista admin account. Found it out the hard way when trying to click OK in a UAC prompt via peripherals being shared with Synergy. Can't speak for Windows 7, but I can't imagine they've intentionally made it less secure. It confused the hell out of me for a while, but when I finally figured out what was happening I was in fact glad that they'd done it that way (even if it still meant that I had to find a spare mouse to click OK in the prompt with actual hardware).

      See- this is why we have betas. Stupid but non-obvious bug that somehow slipped through can now be fixed before it affects millions. I hate to give MS credit (especially as a Mac user), but they really seem to be getting a lot right with 7. Not to the point of switching back, but hopefully to the point where the whiny fanboys from both sides may take a couple moments to STFU.

      --
      How are sites slashdotted when nobody reads TFAs?
  3. The beta worked! by jamesmcm · · Score: 5, Funny

    The beta worked perfectly!
    Even the malware will be ready for Windows 7!

  4. Microsoft already replied by DavidR1991 · · Score: 5, Informative

    MS have already said that this flaw is "by design" to stop the appearance of too many UAC prompts when users alter their own system settings

    http://www.istartedsomething.com/20090131/microsoft-dismisses-windows-7-uac-security-flaw-insists-by-design/

    1. Re:Microsoft already replied by Jurily · · Score: 4, Insightful

      That's the problem with UAC. Too many prompts and users will just get frustrated and either disable it or blindly hit Ok.

      I disagree. I used Vista exclusively for 5 months, and I only ever got a UAC question when I was trying to change some system settings, and that one time when I didn't, it turned out to be a trojan.

      It's not that hard to anticipate a UAC question, really. Just ask yourself: "Would Linux require root for this?"
      Actually, UAC is much more permissive.

      And the people who get frustrated with it, shouldn't have admin rights in the first place.
      Sure, the initial setup and configuration is packed with these, but it's worth it.

    2. Re:Microsoft already replied by Yvanhoe · · Score: 2, Insightful

      defectivebydesign, then ?

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    3. Re:Microsoft already replied by Anonymous Coward · · Score: 3, Insightful

      they should really make the user account non admin by default, and fuck up all programs written by twelve-year-old kids each assuming to be the god of the machine. I did try to use a non admin account, but almost no game worked correctly, even most of the non Microsoft applications tried to write garbage everywhere in the system; no really, the log file in the program folder or windows directory, the savegame in a profile stored beneath the installation directory....

    4. Re:Microsoft already replied by Nursie · · Score: 2, Interesting

      UAC is horrible.

      Please, it's not just sudo, it's heap of other crap too. It's "I stopped these things from being launched at startup and there's no way to override this behaviour".

      It's "I'm silently going to re-route any writes to the C:\Program Files\X directory to a virtual subdirectory under the user account, so that users can see different versions of files when looking in the same place".

      It's a lot of annoying, unnecessary and unchangeable crap. That's why I switched it off anyway.

      YMMV, you may not want an ext2 driver (not MS signed/approved!) launched at system startup, and you may not ever want to edit any configuration files stored in program files (or never launch processes as another user) but I consider those pretty important.

    5. Re:Microsoft already replied by The+New+Andy · · Score: 2, Insightful
      From Microsoft's reply:

      * The only way this could be changed without the user's knowledge is by malicious code already running on the box.

      * In order for malicious code to have gotten on to the box, something else has already been breached (or the user has explicitly consented)

      What exactly is UAC then trying to protect people against? If protecting against malicious code isn't in the requirements, then it seems pretty useless.

    6. Re:Microsoft already replied by cgenman · · Score: 5, Interesting

      I kind of agree with the less-is-more approach to end user interactions. I get a lot of clients who have learned to cope with the modern click-prompt overload by simply clicking somewhat randomly on everything that comes up in front of them. Frequently, this leads to disabling some vitally important part of their computer in a way that any person who actually read prompts would have easily avoided.

      Sadly, the less computer savvy you are, the more likely you are to be constantly deluged with upgrade prompts from Adobe, install requests for Safari from Apple, and the multitude of prompts when Hewlett Packard's genuinely awful drivers crash. Prompts to continue subscriptions to Symantec, upgrade to the latest acrobat, log in to windows messenger, etc. And, of course, each separate component has its own prompts. "Click here to upgrade. I see you've clicked here to upgrade, would you like me to go to the internet and upgrade? Upgrade will begin when you click the OK button below. Upgrading... Upgrade has completed, click OK below to continue. Thank you for upgrading, please visit unintelligiblylongwebsite.com/pagenobodywilleverclickon.html to give us feedback on this process. Press Dismiss below to return to the installer. Thank you for returning to the installer. If you are satisfied with this interaction, press OK below."

      90% of users have no idea what their computer is doing, or should be doing, under the hood. If they weren't already suffering from click-fatigue, they wouldn't be the right people to decide on technical issues anyway.

      Obviously, it shouldn't be possible to disable UAC without actually getting a UAC prompt. But in general, UAC is an annoying system that most users completely tune out. Instead of heightening user knowledge, it simply drowns out any real issues.

    7. Re:Microsoft already replied by nstlgc · · Score: 3, Informative

      Please, it's not just sudo, it's heap of other crap too. It's "I stopped these things from being launched at startup and there's no way to override this behaviour".

      Your application is trying to be launched at startup in a fishy way. For some reason, my apps are not. HMM.

      It's "I'm silently going to re-route any writes to the C:\Program Files\X directory to a virtual subdirectory under the user account, so that users can see different versions of files when looking in the same place".

      There's no good reason for writing there, and doing so is exactly what messed up "running as an administrator" in XP and below. Ask the author of your application to make it less retarded.

      It's a lot of annoying, unnecessary and unchangeable crap. That's why I switched it off anyway.

      Is it? I've seen many, many ways to reduce or even eliminate the warnings, even without turning off UAC. It's almost like you're being proud of being an idiot.

      YMMV, you may not want an ext2 driver (not MS signed/approved!) launched at system startup, and you may not ever want to edit any configuration files stored in program files (or never launch processes as another user) but I consider those pretty important.

      Yes, I'd prefer that they would install like normal drivers (not at system startup) and that they go through the effort of getting signed. And if you're still on 32bit Windows, this is not even a problem.

      But it kinda confirms my thought that you were running vague software written by Linux people for Windows.

      --
      I'm Rocco. I'm the +5 Funny man.
    8. Re:Microsoft already replied by mwlewis · · Score: 4, Insightful

      Isn't that exactly what you quoted? If it's possible for malware to do this on your machine, then somehow it's already gotten past UAC, whether by some other hole, or by the user allowing it. What, exactly, do you suppose UAC is supposed to do in that case?

      --
      JOIN US FOR PONG!
    9. Re:Microsoft already replied by Nursie · · Score: 3, Interesting

      "Your application is trying to be launched at startup in an fishy way. For some reason, my apps are not. HMM."

      No, my application is not signed or recognised by MS, who believe they should have the final say over these things. A nice little box pops up saying "your system administrator has set policies to stop these things running at startup" and allowing you to click on them to start them up.

      *I* am the system administrator and there was no way I could find to stop this behaviour, despite looking in all the UAC dialogs.

      "There's no good reason for writing there,"

      Says who? Why is it wrong to keep configuration files, which are changed very infrequently, in with the program? And if you feel that strongly, why not actually stop me writing there instead of mapping it somewhere else without telling me? At the moment, if I alter a file for (say) a service, I get no warning and no indication of anything other than a successful write to the file, but whichever account the service runs as sees something different. Unacceptable behaviour.

      "doing so is exactly what messed up "running as an administrator" in XP"

      No, what messed up "running as administrator" was "running as administrator". I don't need to write to program files to fuck up your system, if anything you run has admin privileges.

      "Is it? I've seen many, many ways to reduce or even eliminate the warnings, even without turning of UAC."

      Where did I complain about warnings?
      I don't give a crap about warnings.

      "It's almost like you're being proud of being an idiot."

      And it's almost like you can't read.

      "if you're still on 32bit Windows, this is not even a problem."

      This is all on Vista 32 bit.

      But it kinda confirms my thought that you were running vague software written by Linux people for Windows.

      And what *exactly* do you mean by that? WTF is wrong with software not written by a company big enough to pay MS to get things signed? Shouldn't I, as an educated power user, be able to decide to run what I want?

      Why shouldn't I have the flexibility to run windows with the UAC security turned on (so I get warned about unauthorised system changes), but be able to add startup exceptions of my choosing?

      It's a clusterfuck, it's a bad hack which fails to leave any room for flexibility, whilst at the same time implementing dodgy compromises in the name of backward compatibility.
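The silent redirection Nursie describes in comments 4 and 9 is UAC file and registry virtualization, and the shadow copies it leaves behind are easy to enumerate. The following is an added example, not code from any poster: it walks the per-user VirtualStore (where writes to Program Files and Windows by legacy 32-bit programs that carry no UAC manifest are redirected), maps each file back to the protected path it shadows, and reports whether the two copies differ, which is exactly the "two views of the same file" situation complained about above. The VirtualStore layout (system-drive-relative paths under %LOCALAPPDATA%\VirtualStore, and HKCU\Software\Classes\VirtualStore\MACHINE for HKLM writes) is the documented one; Get-FileHash needs PowerShell 4 or later.

```powershell
function Get-VirtualStoreShadows {
    param(
        [string]$VirtualStore = (Join-Path $env:LOCALAPPDATA 'VirtualStore'),
        [string]$SystemDrive  = $env:SystemDrive
    )
    if (-not (Test-Path -LiteralPath $VirtualStore)) { return @() }

    Get-ChildItem -LiteralPath $VirtualStore -Recurse -File | ForEach-Object {
        # VirtualStore mirrors the protected tree relative to the system drive:
        #   ...\VirtualStore\Program Files\X\app.ini  shadows  C:\Program Files\X\app.ini
        $relative = $_.FullName.Substring($VirtualStore.Length).TrimStart('\')
        $real     = Join-Path $SystemDrive $relative
        $exists   = Test-Path -LiteralPath $real
        $differs  = $false
        if ($exists) {
            # Only a content mismatch means the program and the user see different data.
            $differs = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -ne
                       (Get-FileHash -LiteralPath $real -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            VirtualCopy    = $_.FullName
            ProtectedPath  = $real
            RealExists     = $exists
            ContentDiffers = $differs
            LastWritten    = $_.LastWriteTime
        }
    }
}

function Get-VirtualStoreRegistryShadows {
    # Registry writes to HKLM\SOFTWARE by the same programs land here instead.
    $base = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem -Path $base -Recurse | ForEach-Object {
        [pscustomobject]@{
            VirtualKey   = $_.Name
            ProtectedKey = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE', 'HKEY_LOCAL_MACHINE'
        }
    }
}

Get-VirtualStoreShadows | Where-Object ContentDiffers | Format-Table -AutoSize
Get-VirtualStoreRegistryShadows | Format-Table -AutoSize
```

A process that runs elevated, or any binary whose manifest declares a requestedExecutionLevel, is never virtualized; so if a service reads C:\Program Files\X\app.ini while an unmanifested 32-bit editor wrote the VirtualStore copy, the list above is where the "successful write" that the service never saw went.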

    10. Re:Microsoft already replied by MrNaz · · Score: 3, Insightful

      There is no way to properly prevent further attacks once a box is compromised. That's the nature of being compromised.

      --
      I hate printers.
    11. Re:Microsoft already replied by macs4all · · Score: 3, Insightful

      "There's no good reason for writing there,"

      Says who? Why is it wrong to keep configuration files, which are changed very infrequently, in with the program? And if you feel that strongly, why not actually stop me writing there instead of mapping it somewhere else without telling me? At the moment, if I alter a file for (say) a service, I get no warning and no indication of anything other than a successful write to the file, but whichever account the service runs as sees something different. Unacceptable behaviour.

      Um, isn't that exactly what happens in OS X with Preferences?

      In OS X (and *NIX???), USER preferences are stored in the USER's "Home" directory. That way, permissions to write the "Applications" directory can be more tightly controlled, AND the USER can be granted permission to write in a relatively safe place (safe "system-wise", that is).

      Far be it for me to laud anything MacroSuck does; but, to me, this "symlink" just appears to be MS's attempt to provide a modicum of security for system and application files, while not breaking backward compatibility for every-single-bullshit-written-app that required Admin privileges just because the DEVELOPER was TOO LAZY to put USER settings in the PER USER "Documents and Settings" Directory(ies), and instead wanted to spray files all over the SYSTEM and APPLICATION directories (which are NOT USER-SPECIFIC, of course). And before you cite the meme that "Windows Vista7 doesn't care about backward compatibility.", keep in mind just HOW stupid and suicidal such a move would be for MS if it were TRULY the case...

      With OS X's Package approach, you get the best of both worlds: Dependencies are grouped together for easy maintenance, copying, and REMOVAL; but things like Preferences are not only PER USER, but they are in a place that can be written WITHOUT FEAR OF SYSTEM COMPROMISE!!!

      Sheesh! Is it REALLY so hard???

    12. Re:Microsoft already replied by PopeRatzo · · Score: 2, Insightful

      A hole's a hole.

      And a beta's a beta.

      That's why they make disclaimers.

      --
      You are welcome on my lawn.
    13. Re:Microsoft already replied by Jurily · · Score: 2, Informative

      Unix and Linux are thankfully spared a lot of this.

      *nix has a well thought-out multi-user structure.

      In Windows it was bolted on a basically single-user design originating with DOS. They try to do it right, but they can't break everything when backwards compatibility is all that keeps their empire from falling apart.

      Remember the Windows 98 home directory? Me neither. No one used it except Microsoft.

    14. Re:Microsoft already replied by Nursie · · Score: 2, Insightful

      "not breaking backward compatibility for every-single-bullshit-written-app that required Admin privileges just because the DEVELOPER was TOO LAZY to put USER settings in the PER USER "Documents and Settings" Directory(ies),"

      Who said ANYTHING about user settings?

      You know MS push their OS's for corporate and server use, right? And that they've got this UAC bullshit in 2k8 as well?

      and instead wanted to spray files all over the SYSTEM and APPLICATION directories (which are NOT USER-SPECIFIC, of course).

      Which is precisely the FUCKING point for a SYSTEMWIDE SERVER APPLICATION. Users with the correct permissions should be able to edit the file, and the process (running as a different user) should be able to read the file. NOT have it SILENTLY squirreled away somewhere else.

      Spring up another warning, log an error, do whatever, but don't silently pull this shit.

    15. Re:Microsoft already replied by Foolhardy · · Score: 3, Insightful

      The preference files in the Windows user directories are hidden in arcane locations.

      It took me 5 seconds to google some docs for user profile paths: User Data and Settings Management

      Makes sense that the Outlook data would be in C:\Documents and Settings\\Program Data\Microsoft\Outlook but it's not.

      Instead, the roaming stuff goes into:
      C:\Documents and Settings\USERNAME\Application Data\Microsoft\Outlook
      And the non-roaming stuff goes into
      C:\Documents and Settings\USERNAME\Local Settings\Application Data\Microsoft\Outlook
      Doesn't seem so awful.

      The only way to effin' find it is to back the stuff up! What if the computer crashed and I can't RUN Outlook???? I'm hosed (this actually happened).

      Copy the user profile over?

    16. Re:Microsoft already replied by GooberToo · · Score: 2, Interesting

      but almost no game worked correctly

      This is usually caused by DRM and/or anti-cheat software used by the game.

    17. Re:Microsoft already replied by techprophet · · Score: 2, Insightful

      Google was unavailable at the time. If you have to google to find where your application data is, it is arcane.

      Funny, if you have to google it in Linux, it's hard to use, but if you have to google it in Windows, it's obvious.

  5. Mechanical Analog by pm_rat_poison · · Score: 4, Funny

    So, basically, what they did was build a big sturdy door (UAC) and put the treasure (system settings) behind it. Normally you need magic keys (certificates) to enter the door. Then, they built a button that unlocks the door from the outside. Wow!

    1. Re:Mechanical Analog by Anonymous Coward · · Score: 5, Funny

      the worst car analogy I've seen on slashdot for a while.

    2. Re:Mechanical Analog by pm_rat_poison · · Score: 4, Funny

      It's so bad a car analogy, that it doesn't even have cars.

    3. Re:Mechanical Analog by Anonymous Coward · · Score: 2, Funny

      You must be new here, that IS a proper car analogy on slashdot.

    4. Re:Mechanical Analog by mdielmann · · Score: 2, Funny

      (from GGP)

      So, basically, what they did was build a big sturdy door (UAC) and put the treasure (system settings) behind it. Normally you need magic keys (certificates) to enter the door. Then, they built a button that unlocks the door from the outside. Wow!

      the worst car analogy I've seen on slashdot for a while.

      It's so bad a car analogy, that it doesn't even have cars.

      I prefer to think of that as a chastity belt analogy. Put in that light, I think it's a great design!

      --
      Sure I'm paranoid, but am I paranoid enough?
  6. Early by TehPhoenux · · Score: 2, Insightful

    Hey, at least they found it early - this is what betas are for - now they can build a lock for that door.

  7. How hard is it to copy something... by 51M02 · · Score: 5, Insightful

    correctly.

    I mean, Linux and MacOSX (and others) have had sudo for years, the original code dating back to 1980 according to Wikipedia.

    The concept is not new: type your password to gain access to some privileges. That way bots and viruses can't do everything, while you can still do administrative tasks easily.

    My question is how hard is it to copy some 25-year-old functionality (marketing it as brand new) and still not get it right.

    --
    --- Bouh !!! ---
  8. whoa, recursive Meta-UAC by rarel · · Score: 5, Funny
    From TFA: Microsoft could remedy the problem by prompting the user when the UAC setting is altered.

    ==============

    "It looks like you're trying to alter the UAC settings, Cancel or Allow?"
    *click*
    "It looks like you've confirmed the change in UAC settings, Cancel or Allow?"
    *click*
    "The UAC settings have been altered, Cancel or Allow?"
    *click**click**click**click**click*-----INPUT DEVICE FAILURE

  9. It's a double-edged sword by jimicus · · Score: 3, Insightful

    With Vista, there's no (official, at least) way to disable UAC except by a user actively going to Control Panel and disabling it.

    This breaks a lot of things - particularly a lot of stuff concerning scripted/automated installers.

    The obvious solution to this is to provide a way for a script to disable and enable UAC. But as soon as you do that, a lot of the protection offered by UAC disappears.

    1. Re:It's a double-edged sword by yakumo.unr · · Score: 3, Insightful

      The obvious solution to this is to provide a way for a script to disable and enable UAC. But as soon as you do that, ALL of the protection offered by UAC disappears.

      Fixed.

    2. Re:It's a double-edged sword by Seth+Kriticos · · Score: 2, Insightful

      Wait a sec. When did UAC ever provide protection for the system? Even before it appeared, nobody read the warning dialogs. The design failure was to try to improve security by prompting with even more dialogs, which led to the phenomenon that even fewer of those dialogs were ever read.

      I still think it would be a better way to teach the user about security than to prompt him/her with messages he/she does not understand anyway.

      How about including a security and basic computer usage tutorial in the OS? Put in some porn and computer security will rise at once!

    3. Re:It's a double-edged sword by ciderVisor · · Score: 2, Funny

      Put in some porn and computer security will rise at once!

      Ah, so you call him "Computer Security", do you ?

      Kinky !

      --
      Squirrel!
  10. Pointless. by janopdm · · Score: 3, Interesting
    Tell me about security holes after Microsoft fix the following UAC issues:
    1. Any process can perform a read on the whole system disregarding integrity levels.
    2. Any installer runs with full access to the system, allowing even kernel modifications.
    3. Any process can send a window message to any other process disregarding integrity levels.
    4. UAC uses heuristics to find out which privileges are required by each program.
  11. UAC by essence · · Score: 4, Funny

    all this talk of UAC makes me feel like playing some doom again.

  12. Security in UAC by SeaFox · · Score: 4, Insightful

    The biggest security hole in Windows 7's UAC is the user.

    1. Re:Security in UAC by mrapps · · Score: 2, Insightful

      The biggest hole in ANY system is the user. Not particularly a Windows 7 user..

  13. Long Zheng seems like a nice bloke by amirulbahr · · Score: 3, Informative
    1. Re:Long Zheng seems like a nice bloke by moriya · · Score: 2, Funny

      Actually... I doubt I'd call him nice since... well, I'll quote a small excerpt from the link:

      First, I was originally going to blackmail Microsoft for a large ransom for the details of this flaw, but in these uncertain economic times, their ransom fund has probably been cut back so I'm just going to share this for free.

      Let's see what other people think of him now...

  14. Watchmen by Thanshin · · Score: 2, Funny

    But... Who controls the user access to the user access control?

  15. "A prolific blogger ..." by timmarhy · · Score: 5, Insightful
    People, if that's not a big, big warning sign, I don't know what is. You know what this guy has discovered? If you log in as administrator, attackers can do the same things you can.

    This is no different to me browsing the web as root in Linux and running any shit that pops up.

    --
    If you mod me down, I will become more powerful than you can imagine....
  16. Anonymous submitters by macraig · · Score: 4, Interesting

    I wonder if Slashdot should allow anonymous article submissions? Isn't it useful information to know if the submitter is also the subject of the article or its reference source? Shouldn't we be allowed to know that, so we can better judge the credibility of the article and its source(s)? Transparency is ALWAYS good.

    What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?

    1. Re:Anonymous submitters by MichaelSmith · · Score: 4, Informative

      What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?

      That would certainly be something.

    2. Re:Anonymous submitters by Coppit · · Score: 3, Funny

      What if the anonymous reader who submitted this was Roland P.? Wouldn't we wanna know that?

      Yeah, I sure as hell would want to know that!

  17. Hmmm by Mr_Silver · · Score: 2, Insightful

    Seems like an odd bit of "by design".

    Unless I'm mistaken, I (as a user) could download an application and run it on the mistaken assumption that my UAC settings would alert me if anything suspicious were going to happen.

    The application could then drop my security level to the lowest possible (without me knowing) and then start silently installing a bunch of other stuff with no UAC prompts. If it was particularly careful, it could then reset the UAC level back to what it was before it started.

    I'm now completely compromised without the slightest indication that anything suspicious happened.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
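
    A defender's check for the silent-downgrade state described in the comment above, as an added example that is not from the thread or from Microsoft. The registry path and value names are Microsoft's documented UAC policy settings; the mapping from those values to the UAC slider levels is assumed from Microsoft's documentation for Windows 7, and the sample inputs at the end are constructed.

```powershell
# Added example (not from the thread): report whether the UAC policy on this
# machine is at a level where Windows-signed binaries, including the UAC
# control panel itself, can elevate without a prompt. That is the state in
# which a program can lower UAC silently and restore it afterwards.
$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    param(
        [int]$EnableLUA,                   # 0 = UAC disabled entirely
        [int]$ConsentPromptBehaviorAdmin,  # 0 = elevate silently, 2 = consent on secure desktop,
                                           # 5 = consent only for non-Windows binaries (Win7 default)
        [int]$PromptOnSecureDesktop        # 1 = prompts appear on the dimmed secure desktop
    )
    if ($EnableLUA -eq 0) {
        return [pscustomobject]@{
            Level = 'Never notify (UAC disabled)'; SilentSettingsChange = $true; SecureDesktop = $false
        }
    }
    switch ($ConsentPromptBehaviorAdmin) {
        0       { $level = 'Never notify';                                   $silent = $true  }
        5       { $level = 'Notify only when programs try to make changes'; $silent = $true  }
        2       { $level = 'Always notify';                                  $silent = $false }
        default { $level = "Custom policy (value $ConsentPromptBehaviorAdmin)"; $silent = $false }
    }
    [pscustomobject]@{
        Level                = $level
        # $true means changes to Windows settings (UAC included) need no user consent
        SilentSettingsChange = $silent
        # Prompts off the secure desktop can be driven by synthetic input, as the
        # AC comment near the top of the thread points out
        SecureDesktop        = ($PromptOnSecureDesktop -eq 1)
    }
}

# Read a DWORD from the policy key, falling back to the documented default when
# the value has never been written (absent values are not the same as 0).
function Get-PolicyDword($Props, [string]$Name, [int]$Default) {
    if ($null -ne $Props.$Name) { [int]$Props.$Name } else { $Default }
}

function Get-LocalUacPosture {
    $p = Get-ItemProperty -Path $UacPolicyPath
    Get-UacPosture -EnableLUA (Get-PolicyDword $p 'EnableLUA' 1) `
                   -ConsentPromptBehaviorAdmin (Get-PolicyDword $p 'ConsentPromptBehaviorAdmin' 5) `
                   -PromptOnSecureDesktop (Get-PolicyDword $p 'PromptOnSecureDesktop' 1)
}

# Constructed samples: the Windows 7 default level the thread calls weak, and
# the "Always notify" level the summary recommends as the fix.
Get-UacPosture -EnableLUA 1 -ConsentPromptBehaviorAdmin 5 -PromptOnSecureDesktop 1 |
    Format-List   # SilentSettingsChange : True
Get-UacPosture -EnableLUA 1 -ConsentPromptBehaviorAdmin 2 -PromptOnSecureDesktop 1 |
    Format-List   # SilentSettingsChange : False

# Live check of the machine this runs on (requires read access to HKLM, which
# a standard user has).
Get-LocalUacPosture | Format-List
```
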
  18. UAC is a stupid idea by Peaker · · Score: 2, Insightful

    If you look at the computer as a whole, it is incredibly stupid that after the user selects some option, the computer will pop up a dialog asking the user if he is indeed the one who selected this option.

    I realize the series of historic accidents that led to this absurd situation - but couldn't they figure out a better way that does not make the computer behave so incredibly stupidly?

    1. Re:UAC is a stupid idea by JasterBobaMereel · · Score: 2, Insightful

      The problem is that in Windows there is no difference between an interactive task and an interactive task that presents no interface. This means that UAC has to prompt for the very, very obvious, like "did you really press the button marked install", because it has no idea if the user did something or it was done for them ...

      Because Microsoft does not have a proper installer interface that installs programs for you, and instead each program has its own installer/updater, Windows has no control over the process and does not know if the user has been asked or not ... Unix-style package management systems are one solution, where the install is managed by one system which asks the user's permission and then monitors the installation process ...

      --
      Puteulanus fenestra mortis
  19. Ooh goody! by PontifexMaximus · · Score: 2, Interesting

    ANOTHER prompt! I have a great idea, why doesn't MS prompt the user telling them they are about to be prompted? Wouldn't that be just grand?

    'You have hit the A on the keyboard. Continue (Y/N)?'

    Genius.

    --
    Pax Vobiscum
    1. Re:Ooh goody! by Culture20 · · Score: 2, Funny

      Evil genius if it also works on the Y and N keys.

  20. Re:Why does Windows make such a meal of user secur by magamiako1 · · Score: 2, Informative

    Viol8:

    UAC mimics much of the functionality present in a lot of Linux applications. You need root to install the application, but you don't need root to launch the application.

    At least, this is exactly how Microsoft has it designed. And anything that requires administrative privileges should have a service that starts as admin/root and then the client side process should be low privileged.

    This is exactly how Microsoft has it set up. The problem is that a lot of application developers are lazy. They don't want to write software the way Microsoft wants it to be written. This has, essentially, been how Microsoft has intended software to be written for years. C:\Documents and Settings\User\Application Data has only been around since the Windows 2000 days.

    The aforementioned design, however, has never been enforced by Microsoft.

    And the worst part about it is that users themselves are asking for software to be written poorly. All you have to do is to take a quick look over at the ZSNES forums where the developers openly asked its users how they should store configurations now that UAC gets in the way, and the users tell them "We want it to be more portable!"

    That's fine and all, if you want to install all applications to C:\Users\. But like Linux, there are folder conventions.

    It's all there, everything. The environment for writing secure products that don't get exploited that run within the context of a limited user are all built into the OS already.

    Microsoft even went out of their way to "virtualize" Program Files for applications that fail to follow the proper format.

  21. Bugs in Beta? by Lord+Byron+II · · Score: 2, Insightful

    Why are we talking about a bug in beta software? This is code that is still 6-12 months from release.

  22. UAC isn't "security" by argent · · Score: 4, Interesting

    UAC is a hack to deal with the problem that the Win32 API is full of inherent security holes that would require changing lots of third-party software to fix. So they put a prompt up if a program is about to use one of the features that contain or implement part of one of these security holes.

    The only real way to fix it is to implement a designed-for-security API and designate Win32 and everything based on it "legacy", only run in a sandbox.

    Which is what Windows 7 was rumored to be, a couple years ago.

    1. Re:UAC isn't "security" by rsmith-mac · · Score: 2, Insightful

      At some point this tripe gets ridiculous, particularly when Vista has been out there for over 2 years now. The Win32 API has its flaws, but security issues are due to problems with the underlying OS, not the API.

      If there are security flaws in the Win32 API as implemented by Vista, please by all means point them out. But I'm going to be surprised if you can point out anything that doesn't fall under "It's a system level change, you need admin credentials moron" school of thought. Most people don't understand security nearly as well as they think they do, and Slashdot is no different.

    2. Re:UAC isn't "security" by argent · · Score: 2, Insightful

      Since everything in the OS is exposed via the Win32 API... you can't even see the NT kernel API unless you're someone like Softway Systems... the difference is academic. So is "it's a system level change", when it's a system level change that thousands of applications (for many of which the source is no longer available) depend on.

      "There are APIs in Windows that applications have been written to use, that should not be exposed to untrusted applications. These APIs can not be blocked without breaking too many legacy applications, so UAC makes the user responsible for deciding when they should be allowed." Better?

      The fact that these APIs were made available for general use was a security flaw, but one that didn't much matter when there was no security. Now they make security impossible.

      This is the same logic as the stupid security dialogs in IE and other applications that use the Microsoft HTML control. It's not "security", it's "we're afraid to make the OS/libraries/COM objects/APIs secure, so we're putting it on you, the user".

    3. Re:UAC isn't "security" by rsmith-mac · · Score: 2, Insightful

      Should the user not be free to run software as they please then? Because there are plenty of complaints just in this article that are people bitching about just that - how Vista is somehow preventing them from doing what they want. Should "untrusted applications" be everything other than a select few applications that only Microsoft gets to define?

      And if not, how should users tell the OS that an application is trusted? Perhaps they could indicate that in some kind of dialog box...

      At the end of the day the user is the only one responsible for their system. If they want to run an application that will wipe their hard drives, drink all their beer, and knock up their wife, then that is their right, and their responsibility. Sadly too few people seem to understand the latter part of that.

  23. Re:Ubuntu is vulnerable! by redxxx · · Score: 2, Insightful

    Note that most distributions don't enable sudo for the user account by default (not even Ubuntu's parent distro, Debian); it would be interesting to see what the Ubuntu folks would say if you suggested turning off sudo by default.

    Then users will need to know their administrator password, and will end up using it as an account.

    Sudo prevents a certain large segment of the potential Ubuntu population from being retarded. It's a calculated risk, but I don't think they would change their position. It is not one they arrived at by chance.

  24. This is completely false. by coryking · · Score: 4, Informative

    That is 100% not true. Your user account *is running as a regular user* no matter what group it is in. It doesn't matter if you are in the admin group (unless you stupidly disable UAC, in which case you basically run as root).


    "UAC" = "sudo [program name]"
    "Vista, Administrator Group" = "your account is in /etc/sudoers with 'username = NOPASSWD: [your program]'"
    "Vista, non admin group" = "sudo [program name] with password, but that depends on the group policy... "

    Your highly moderated post is 100% mis-information and is *not true*. YOU ARE NOT RUNNING AS ROOT UNTIL YOU ELEVATE VIA UAC!!